Merge pull request #33 from bornlogic/feature/validate-scopes-consider-user-role

VictorFZ · web-flow · commit 8ad7b1f2f430 · 2025-02-06T11:25:41.000-03:00
fix validation
diff --git a/Bornlogic.IdentityServer/Validation/Default/DefaultResourceValidator.cs b/Bornlogic.IdentityServer/Validation/Default/DefaultResourceValidator.cs
@@ -72,30 +72,27 @@ public virtual async Task<ResourceValidationResult> ValidateRequestedResourcesAs
                 return result;
             }
 
-            var subjectIdOrDefault = request.Subject?.GetSubjectIdOrDefault();
+            var scopeNames = parsedScopesResult.ParsedScopes.Select(x => x.ParsedName).Distinct().ToArray();
+            var resourcesFromStore = await _store.FindEnabledResourcesByScopeAsync(scopeNames);
 
-            if (!string.IsNullOrEmpty(subjectIdOrDefault))
+            foreach (var scope in parsedScopesResult.ParsedScopes)
             {
-                var hasRoleToBypassScopeValidation = await _clientUserRoleService.UserHasLoginByPassRoleInClient(subjectIdOrDefault, request.Client, _clientRoleOptions?.Value?.ValidUserRolesToBypassClientScopeValidation);
+                await ValidateScopeAsync(request.Client, resourcesFromStore, scope, result, request.RequiredRequestScopes.Any(a => a == scope.ParsedName));
+            }
 
-                if (!hasRoleToBypassScopeValidation)
-                {
-                    var scopeNames = parsedScopesResult.ParsedScopes.Select(x => x.ParsedName).Distinct().ToArray();
-                    var resourcesFromStore = await _store.FindEnabledResourcesByScopeAsync(scopeNames);
+            var requiredRequestScopeNames = parsedRequiredRequestScopesResult.ParsedScopes.Select(x => x.ParsedName).Distinct().ToArray();
+            var requiredRequestResourcesFromStore = await _store.FindEnabledResourcesByScopeAsync(requiredRequestScopeNames);
 
-                    foreach (var scope in parsedScopesResult.ParsedScopes)
-                    {
-                        await ValidateScopeAsync(request.Client, resourcesFromStore, scope, result, request.RequiredRequestScopes.Any(a => a == scope.ParsedName));
-                    }
+            foreach (var scope in parsedRequiredRequestScopesResult.ParsedScopes)
+            {
+                await ValidateRequestRequiredScopeAsync(request.Client, requiredRequestResourcesFromStore, scope, result);
+            }
 
-                    var requiredRequestScopeNames = parsedRequiredRequestScopesResult.ParsedScopes.Select(x => x.ParsedName).Distinct().ToArray();
-                    var requiredRequestResourcesFromStore = await _store.FindEnabledResourcesByScopeAsync(requiredRequestScopeNames);
+            var subjectIdOrDefault = request.Subject?.GetSubjectIdOrDefault();
 
-                    foreach (var scope in parsedRequiredRequestScopesResult.ParsedScopes)
-                    {
-                        await ValidateRequestRequiredScopeAsync(request.Client, requiredRequestResourcesFromStore, scope, result);
-                    }
-                }
+            if (!string.IsNullOrEmpty(subjectIdOrDefault) && await _clientUserRoleService.UserHasLoginByPassRoleInClient(subjectIdOrDefault, request.Client, _clientRoleOptions?.Value?.ValidUserRolesToBypassClientScopeValidation))
+            {
+                result.InvalidScopes.Clear();
             }
 
             if (result.InvalidScopes.Count > 0)
